Security Basics mailing list archives

Re: Should proxy have one interface or two


From: "ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>
Date: Mon, 14 Jul 2008 10:43:53 +0530

Gleb,

I would like to explain what I think are the possible reasons with the
help of the scenarios below.

1) Internet ----- (public interface)---- Proxy ---- (internal
interface)-------LAN

 The public interface of the proxy would have a public IP. The internal
IPs can be PATed/NATed to this interface's IP or can have a different
IP in the same public segment (as that of the public interface). However,
the internal LAN would mostly have a private IP subnet. So, two different
subnets, one for the public internet and the other for the private LAN.
And so we would need one IP from each segment on the proxy device. The
interfaces can be virtual or physical. Both subnets (public and
private) cannot be/should not be part of the same subnet because it will
defeat the purpose of a proxy and we are bound to have routing
complications.

2) If we would still go ahead and have a single interface, the setup
will look like below, where the LAN and the public subnet are in the same
subnet. So, LAN IPs would have public IPs!!! But you would still
have a routing issue (explained in point 4).

Internet ------ (public and private subnet )---Proxy.

3) You can say that we can add a router/L3 device in between like
below. The router will take care of NAT/PAT.

Internet ------ (pub int)----RTR ------- Proxy
                                    |
                                 Lan

In this setup the router will have three interfaces: one to the internet
(which does SNAT), one to the proxy and one to the LAN. The LAN's PCs
would have the proxy configured in their browser. When the LAN wants to
go on the internet via the proxy, the router will have to send this to
the proxy's IP (so the router needs to have its default gateway pointing
to the proxy). Now once the proxy receives and processes this, it would
send it back to the router to go to the internet because the proxy's
default gateway is the router. However, the router has its default
gateway pointing to the proxy!!! The packet will loop between the proxy
and the router and will never traverse outside because the router has to
send all the traffic to the proxy for processing and the proxy has to
send the processed traffic to the internet via the router. Please note,
the router would also need a default route pointing to the internet
gateway!!! So the traffic from the LAN would never make it to the
internet via such a 'one-arm routing' on proxy setup.

4) The above scenario will work if we configure separate VRFs on the
router: one VRF for the LAN, another for the proxy and a third, the global
routing table. So, we have pushed the need for two interfaces from the
proxy to the router (with the help of VRFs)!

Since we are humans, we can apply all sorts of knowledge and still get
it working with a proxy having one interface. However, this will
complicate the rest of the network and increase the cost of the solution
as we would need additional devices. Additionally, it will also make
troubleshooting complicated for the network administrators in case of
an issue.

The simplest solution is to have two interfaces on the proxy!!! ;-)

Hope this helps to understand. Let me know if you have any questions.

Thanks,
Aditya Govind Mukadam



On Fri, Jul 11, 2008 at 5:39 PM, Gleb Paharenko <gpaharenko () gmail com> wrote:
Hi, list.

In many network designs a web proxy server has two interfaces. One is
for internal clients, the second is the outgoing interface for the proxy.
Why not use one interface both for incoming requests from users
and for outgoing requests from the proxy? Of course this interface should
be in a separate subnet with firewalled control on it and it should be
SNATed as well. Hope I clearly described my question of why it is
better to
have two interfaces in different subnets for a web proxy.


--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
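Editor's note, added to the archive and not part of either message above: the routing loop Aditya describes in point 3 (router default route -> proxy, proxy default route -> router) and the VRF fix in point 4 can be traced hop by hop with a small forwarding model. The Python below is an illustration written for this page; the node names, the addresses (RFC 1918 and RFC 5737 documentation ranges) and the hop limit are all assumptions chosen for the example, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (RFC 1918 / RFC 5737 ranges); not taken
# from the thread. Nodes are identified by plain string labels.
LAN, ROUTER, PROXY, INTERNET = "lan", "router", "proxy", "internet"
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
PROXY_NET = ipaddress.ip_network("10.0.1.0/30")     # router <-> proxy link
PROXY_IP = ipaddress.ip_address("10.0.1.2")
INET_DST = ipaddress.ip_address("203.0.113.10")     # some web server
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # node the packet is handed to


def owner(dst):
    """Which node finally terminates traffic to `dst`."""
    if dst in LAN_NET:
        return LAN
    if dst in PROXY_NET:
        return PROXY
    return INTERNET


def lookup(table, dst):
    """Longest-prefix match over a list of Route; None if no route covers dst."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).next_hop if matches else None


def forward(tables, start, dst, ttl=8):
    """Trace a packet hop by hop.

    tables[node] maps the node a packet arrived from -> routing table to use
    (VRF-like); the key None is the node's single/global table. Returns the
    list of nodes visited. A path that does not end at owner(dst) within
    `ttl` hops is a loop or a black hole.
    """
    path, node, prev = [start], start, None
    while node != owner(dst) and ttl > 0:
        per_ingress = tables[node]
        table = per_ingress.get(prev, per_ingress.get(None, []))
        nxt = lookup(table, dst)
        if nxt is None:
            break
        path.append(nxt)
        prev, node, ttl = node, nxt, ttl - 1
    return path


def flat_design():
    """Point 3: one routing table on the router, default gateway -> proxy."""
    connected = [Route(LAN_NET, LAN), Route(PROXY_NET, PROXY)]
    return {
        LAN:    {None: [Route(DEFAULT, ROUTER)]},
        PROXY:  {None: [Route(DEFAULT, ROUTER)]},
        ROUTER: {None: connected + [Route(DEFAULT, PROXY)]},
    }


def vrf_design():
    """Point 4: LAN-facing VRF defaults to the proxy, proxy-facing VRF to the internet."""
    connected = [Route(LAN_NET, LAN), Route(PROXY_NET, PROXY)]
    return {
        LAN:    {None: [Route(DEFAULT, ROUTER)]},
        PROXY:  {None: [Route(DEFAULT, ROUTER)]},
        ROUTER: {
            LAN:   connected + [Route(DEFAULT, PROXY)],
            PROXY: connected + [Route(DEFAULT, INTERNET)],
        },
    }


def delivered(tables, start, dst):
    """(reached owner(dst)?, path taken) for a single packet."""
    path = forward(tables, start, dst)
    return path[-1] == owner(dst), path


if __name__ == "__main__":
    for name, design in (("flat", flat_design()), ("vrf", vrf_design())):
        ok1, leg1 = delivered(design, LAN, PROXY_IP)    # client -> proxy
        ok2, leg2 = delivered(design, PROXY, INET_DST)  # proxy -> web server
        print(f"{name}: client->proxy   {'ok' if ok1 else 'FAIL'} {leg1}")
        print(f"{name}: proxy->internet {'ok' if ok2 else 'LOOP'} {leg2}")
```

The first leg (client to proxy) succeeds in both designs because the proxy subnet is directly connected. The second leg (proxy to the web server) bounces between router and proxy until the hop limit runs out in the flat design, while the VRF design selects the table by the interface the packet arrived on and hands proxy-originated traffic to the internet. The model ignores NAT, so it shows only the routing decision the post is about.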


